Healthcare is a great test "case"/area for many of these emerging technology areas. My understanding from covering insurance is that providers (doctors, mainly) are ironically resistant to change and don't like to have new systems imposed on them, even if there are proven benefits. So any successes in educating providers about benefits, policy, process, etc., should provide some real best practices to other industries. Thanks for your insights.

Great example. When it comes to security and compliance, technology can't meet the demands alone. Companies need training and education of employees to enforce the rules. CISOs are also facing this challenge. Many thought that a good firewall or other security technology was enough. But all employees need to be aware of threats and, in this case, potential HIPAA violations.

In healthcare (just like in banking with SOX), not having a good BYOD policy can result in large HIPAA fines, so a good BYOD policy is very important, but it is really the education of staff about the policy that will make it a success or failure. A good example is that our hospital put a BYOD policy in place to use Tigertext for HIPAA and SOX compliant text messaging, but the doctors still used their unsecure regular SMS text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for training and explaining the HIPAA issues and how to use the app correctly. Now we have most of the doctors in compliance, which has significantly lowered the HIPAA risks and increased productivity for the doctors and the hospital. Here is an example of a BYOD policy similar to ours: http://www.hipaatext.com/wp-co...

Thanks for the note. There are a variety of ways to secure BYO devices. Sometimes, a firm insists on the ability to lock down the entire device, but this doesn't seem to be the preferred way anymore. Sometimes, a firm can secure the data on the device (in a wrapper, or box). Or, as you mentioned, a firm can secure the connection to the corporate systems that house the data.

BYOD will continue growing as mobile devices continue to play a greater role in our lives. That's why most major IT players are offering solutions to address such BYOD challenges as security and device management.

Does BYOD come with headaches? Of course it does. However, security issues and IT management headaches (how do I support all those devices?) can be addressed by using new HTML5 technologies that enable users to connect to applications and systems without requiring IT staff to install anything on user devices. For example, Ericom AccessNow is an HTML5 RDP client that enables remote users to securely connect from iPads, iPhones and Android devices to any RDP host, including Terminal Server and VDI virtual desktops, and run their applications and desktops in a browser. This enhances security by keeping applications and data separate from personal devices.

Since AccessNow doesn't require any software installation on the end user device - just an HTML5 browser, network connection, URL address and login details - IT staff end up with fewer support hassles. The volunteer or temporary employee that brings in their own device merely opens their HTML5-compatible browser and connects to the URL given them by the IT admin.

I would have assumed any company with a BYOD policy was already buying the devices for employees, rather than giving them a stipend to purchase what they want, but if many are still doing the latter, it seems very unsecure. The company buying the device would allow IT to install the necessary security controls before issuing to the employee.

It seems that BYOD and mobile security is no longer about the device. Instead, mobile security is about securing the data on the device. Some FIs no longer care what device you use. Instead, the company encrypts and secures a portion of the device that holds corporate data. In the event of a compromised device, the company can wipe the "company" data on the device, while the rest of the device remains untouched.

Interesting stuff. I do wonder about #3, though. When it comes to financial institutions, sometimes it's not so much "bring your own device" as it is "you can use the device you prefer from the selection of the most popular handsets and OSes." I don't think this is a bad approach - I think in a highly regulated industry where security is paramount, it's important to ensure that IT understands the environment through which data is being moved.